-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-EN-07:03.rc.d_jail                                      Errata Notice
                                                          The FreeBSD Project

Topic:          rc.d jail script interface IP alias removal

Category:       core
Module:         etc_rc.d
Announced:      2007-02-28
Credits:        Philipp Wuensche
Affects:        FreeBSD 6.2-RELEASE.
Corrected:      2007-01-02 11:14:07 UTC (RELENG_6, 6.2-STABLE)
                2007-02-28 18:24:37 UTC (RELENG_6_2, 6.2-RELEASE-p2)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.  The jail_interface rc.conf(5)
variable can be used to automatically add and remove an IP address on
a specific network interface when a jail starts and stops.

II.  Problem Description

A cleanup of the rc.d jail script did not rename the variables used by
the jail_interface feature when removing the IP address in the case
where the jail startup fails.  This may result in ifconfig(8) being
run with incorrect arguments.

III. Impact

Since the wrong variable is used, in some cases, ifconfig(8) will
remove an arbitrary IP address instead of the IP address of the jail
if startup of a jail fails.  It may be possible for a user with root
access in a jail to provoke this situation by intentionally making
jail startup fail.

IV.  Workaround

Do not use the jail_interface feature; instead, manually configure IP
addresses for the jails.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_2
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.2
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/EN-07:03/rc.d_jail.patch
# fetch http://security.FreeBSD.org/patches/EN-07:03/rc.d_jail.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# install -o root -g wheel -m 555 etc/rc.d/jail /etc/rc.d

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/etc/rc.d/jail                                              1.23.2.8
RELENG_6_2
  src/UPDATING                                             1.416.2.29.2.5
  src/sys/conf/newvers.sh                                   1.69.2.13.2.5
  src/etc/rc.d/jail                                          1.23.2.7.2.2
- -------------------------------------------------------------------------

The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-07:03.rc.d_jail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQFF5ct8FdaIBMps37IRAu3qAKCHNEFb/kqTVyFSllHyG6YOg+qccACfbmfI
CiEeWDDU73GVG+T15VeGH2Q=
=EQyo
-----END PGP SIGNATURE-----
